Cheat Engine - The Official Site of Cheat Engine
Xblade Of Heaven Master Cheater
Reputation: 0
Joined: 16 Oct 2005 Posts: 395 Location: DEAD
Posted: Mon Mar 11, 2013 5:03 pm
Does this game have DLL injection protection?
_________________
Welcome to the Hell.
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Tue Mar 12, 2013 2:10 am
Integrity Check Bypass Auto Assembler Script here: http://forum.cheatengine.org/viewtopic.php?p=5462159#5462159
Modify any memory you want now, no crash! Uses the copy-the-entire-Crysis-3-memory-region-and-redirect-ECX-register method.
| Geri wrote: |
The better method is to follow what happens with the gathered data. It usually goes like gather data, all sorts of transformations, compare the result to see if it matches the original, conditional jump to crash or continue if everything is cool. If you find the last conditional jump and just switch it to everything is cool, then you are usually done with that protection.
However it may happen that the game has a 10, 100 or more similar protections. Sometimes there is just one, sometimes there are tons of them. |
Since I've already done the copy-untouched-memory-and-redirect-ECX method of bypassing this, I decided to try and find that 'one last' conditional jump and either make it unconditional (EB) or nop it... Just for fun.
However, I don't think there's just a single one that you can modify to defeat this protection in Crysis 3... My break and trace kept crashing sometimes (maybe because of VEH? Not sure; I've had this issue with other games before, though, or maybe I put the max trace count too high), but each restart I could trace further from where I left off... I was able to go fairly deep into the checker code... and I found some interesting crash code...
So I saw the conditional jump above it and made it unconditional so it would jump over that crash code... and it still crashed... Next round, I checked to see if anything was checking that address, and sure enough there was... It seems that aside from the main integrity check (as shown in the image on page 1, and the address used in my bypass script) there is the same kind of check, but it only checks the checker code region rather than the Crysis game code region... Also there are many interwoven little checks between a huge array of these conditional jumps in highly obfuscated code...
This kind of thing (there are many of them, and they check themselves and the code around them):
| Code: |
Crysis3.exe+22C615C - 56 - push esi
Crysis3.exe+22C615D - 5E - pop esi
Crysis3.exe+22C615E - 8B 13 - mov edx,[ebx]
Crysis3.exe+22C6160 - 01 54 24 1C - add [esp+1C],edx
Crysis3.exe+22C6164 - 83 C3 04 - add ebx,04
Crysis3.exe+22C6167 - 66 FF 4C 24 18 - dec word ptr [esp+18]
Crysis3.exe+22C616C - 90 - nop
Crysis3.exe+22C616D - 75 ED - jne Crysis3.exe+22C615C
Crysis3.exe+22C616F - 80 4C 24 1C 01 - or byte ptr [esp+1C],01
Crysis3.exe+22C6174 - 81 7C 24 1C F90C0000 - cmp [esp+1C],00000CF9
Crysis3.exe+22C617C - 76 09 - jna Crysis3.exe+22C6187
Crysis3.exe+22C617E - 90 - nop
Crysis3.exe+22C617F - BC 00000000 - mov esp,00000000
Crysis3.exe+22C6184 - 90 - nop
Crysis3.exe+22C6185 - FF E4 - jmp esp
Crysis3.exe+22C6187 - 90 - nop
Crysis3.exe+22C6188 - 8B 5C 24 14 - mov ebx,[esp+14]
|
So you get into this: tons of checker code, which checks the checker code, which checks the checker code which checks the conditional jumps you want to modify to prevent a crash type deal! lol So it all starts to get very confusing the deeper you get...
As I went further, I discovered another mov esp,0 and jmp esp (basically a jmp 0, right? Instant crash). Then I was like, oh no... there are more of these too, aren't there... Doing an assembler scan starting from the first place where all this stuff kinda starts (beginning the trace from the 'ret' of the integrity check routine) revealed A TON of these! So I feel like it is more like 100 places you'd have to patch! No, probably 200, because of that second check that checks the checker code region...
This one (it doesn't simply return afterwards, though; it has more of those other interwoven mini checks after it):
| Code: |
Crysis3.exe+255C7BE - 0FB6 19 - movzx ebx,byte ptr [ecx]
Crysis3.exe+255C7C1 - 8B 45 08 - mov eax,[ebp+08]
Crysis3.exe+255C7C4 - 33 C3 - xor eax,ebx
Crysis3.exe+255C7C6 - 41 - inc ecx
Crysis3.exe+255C7C7 - 3B CE - cmp ecx,esi
Crysis3.exe+255C7C9 - 89 45 08 - mov [ebp+08],eax
Crysis3.exe+255C7CC - 72 E8 - jb Crysis3.exe+255C7B6
Crysis3.exe+255C7CE - 5B - pop ebx
Crysis3.exe+255C7CF - 83 EC 20 - sub esp,20
Crysis3.exe+255C7D2 - C7 44 24 1C 06546028 - mov [esp+1C],28605406 : [nvd3dum.dll+958253]
Crysis3.exe+255C7DA - C7 44 24 18 53000100 - mov [esp+18],00010053 : [00000100]
Crysis3.exe+255C7E2 - 89 74 24 14 - mov [esp+14],esi
Crysis3.exe+255C7E6 - BE 9CC75539 - mov esi,Crysis3.exe+255C79C
Crysis3.exe+255C7EB - C1 4C 24 1C 10 - ror [esp+1C],10
Crysis3.exe+255C7F0 - 90 - nop
Crysis3.exe+255C7F1 - 89 6C 24 10 - mov [esp+10],ebp
Crysis3.exe+255C7F5 - 8B DB - mov ebx,ebx
Crysis3.exe+255C7F7 - 8B 2E - mov ebp,[esi]
Crysis3.exe+255C7F9 - 01 6C 24 1C - add [esp+1C],ebp
Crysis3.exe+255C7FD - 83 C6 04 - add esi,04
Crysis3.exe+255C800 - 66 FF 4C 24 18 - dec word ptr [esp+18]
Crysis3.exe+255C805 - 75 EE - jne Crysis3.exe+255C7F5
|
See attached image! I think you get the idea... I tried to find it, but for me it's a time/memory trade-off: I'd rather have two copies of the game in memory, basically, than spend too much time looking for one conditional jump that will magically allow you to modify the memory, have a bad checksum, and not crash! I'm not saying there isn't one, but by the looks of it there are more like 100 or 200 jumps you have to mod.
_________________
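As an added example (my own code, not code from this thread or from the game): a Python model of the two accumulation loops in the listings above (the xor-fold at +255C7BE and the dword-add loops at +22C615C and +255C7F5) and of the crash decision at +22C616F. The memory image it runs over is constructed, and it assumes the accumulators start from the seed values visible in the listing. Feeding the second listing's own constants into it shows that the summed window [+255C79C, +255C8E8) contains the loop's own instructions at +255C7F5..+255C805, which is the "checker checks the checker" behaviour described above.

```python
import struct

MASK32 = 0xFFFFFFFF

def ror32(value, count):
    """32-bit rotate right, as the x86 ROR instruction does (ror [esp+1C],10)."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32

def xor_fold(mem, start, end, seed):
    """Loop at +255C7BE: eax = [ebp+08]; eax ^= byte[ecx]; ecx++; loop while ecx < esi.
    Folds every byte of mem[start:end] into a 32-bit accumulator by XOR."""
    acc = seed & MASK32
    for off in range(start, end):
        acc ^= mem[off]
    return acc

def loop_count(count_field):
    """'dec word ptr [esp+18]' only touches the low 16 bits, so 0x00010053 means
    0x53 iterations, and a zero low word wraps around to 65536 iterations."""
    return (count_field & 0xFFFF) or 0x10000

def dword_sum(mem, start, count_field, seed):
    """Loop at +255C7F5 (same shape as +22C615C): acc = ror(seed,16); then repeat
    acc += dword[esi]; esi += 4; dec word ptr [esp+18]; until the counter is zero."""
    acc = ror32(seed, 16)
    for i in range(loop_count(count_field)):
        (dword,) = struct.unpack_from("<I", mem, start + 4 * i)
        acc = (acc + dword) & MASK32
    return acc

def covered_range(start, count_field):
    """Address span [start, end) that the dword loop reads."""
    return start, start + 4 * loop_count(count_field)

def takes_crash_path(acc):
    """Decision at +22C616F: or byte ptr [esp+1C],01; cmp [esp+1C],0CF9; jna continue.
    True when execution falls through to 'mov esp,0; jmp esp' (unsigned compare)."""
    return ((acc & MASK32) | 1) > 0xCF9

if __name__ == "__main__":
    # Constructed memory image, not game data: 0x200 bytes of a simple pattern.
    image = bytes((i * 7) & 0xFF for i in range(0x200))
    print(hex(xor_fold(image, 0, 0x40, 0)))
    print(hex(dword_sum(image, 0x10, 0x00010008, 0x28605406)))
    # With the listing's own constants the summed window is [+255C79C, +255C8E8),
    # which contains the loop instructions at +255C7F5..+255C805.
    lo, hi = covered_range(0x255C79C, 0x00010053)
    print(hex(lo), hex(hi), lo <= 0x255C7F5 and 0x255C805 < hi)
```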
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Tue Mar 12, 2013 3:15 pm
Yes, for just one protection there is often just one comparison, maybe more. But when there are many protections, it is logical to have different functions for comparing too. That makes it difficult to shut it down with a single jump.
_________________
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue Mar 12, 2013 3:57 pm
Hmm... I don't have the game, but if their patterns are only like:
and
Then probably a pair of lua aobscans like 7? ?? 90 bc 00 00 00 00 and the same without nop can allow for an easy search and replace, just force the jump each time and...
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Thu Mar 14, 2013 10:30 am
| Gniarf wrote: | Hmm... I don't have the game, but if their patterns are only like:
and
Then probably a pair of lua aobscans like 7? ?? 90 bc 00 00 00 00 and the same without nop can allow for an easy search and replace, just force the jump each time and... |
Well, I have thought about it, but when I tried to implement such a thing I found WAY more variations than I thought there would be! They are pretty clever! Here are a few more variations:
Extra nop in between:
| Code: |
Crysis3.exe+3540 - 74 0D - je Crysis3.exe+354F
Crysis3.exe+3542 - 90 - nop
Crysis3.exe+3543 - BC 00000000 - mov esp,00000000
Crysis3.exe+3548 - 90 - nop
Crysis3.exe+3549 - FF E4 - jmp esp
|
Extra weird instruction in between:
| Code: |
Crysis3.exe+19000D7 - 74 02 - je Crysis3.exe+19000DB
Crysis3.exe+19000D9 - 0FA5 9D 58907407 - shld [ebp+07749058],cl
Crysis3.exe+19000E0 - BC 00000000 - mov esp,00000000
Crysis3.exe+19000E5 - FF E4 - jmp esp
|
two byte nop in between:
| Code: |
Crysis3.exe+19034F4 - 74 0A - je Crysis3.exe+1903500
Crysis3.exe+19034F6 - 90 - nop
Crysis3.exe+19034F7 - BC 00000000 - mov esp,00000000
Crysis3.exe+19034FC - 8B F6 - mov esi,esi
Crysis3.exe+19034FE - FF E4 - jmp esp
|
Shift right in between:
| Code: |
Crysis3.exe+190360E - 74 0A - je Crysis3.exe+190361A
Crysis3.exe+1903610 - BC 00000000 - mov esp,00000000
Crysis3.exe+1903615 - C1 EB 00 - shr ebx,00
Crysis3.exe+1903618 - FF E4 - jmp esp
|
etc..
| Code: |
Crysis3.exe+1908F55 - 74 09 - je Crysis3.exe+1908F60
Crysis3.exe+1908F57 - 55 - push ebp
Crysis3.exe+1908F58 - 5D - pop ebp
Crysis3.exe+1908F59 - BC 00000000 - mov esp,00000000
Crysis3.exe+1908F5E - FF E4 - jmp esp
|
etc...
| Code: |
Crysis3.exe+1CA3662 - BC 00000000 - mov esp,00000000
Crysis3.exe+1CA3667 - 87 C9 - xchg ecx,ecx
Crysis3.exe+1CA3669 - FF E4 - jmp esp
|
etc..
I think you get the idea, but here's an interesting one! What does in al,90 do? Looks like a variation of the crash, so that almost proves they have other crash code too! There's a million ways to crash a program! lol
| Code: |
Crysis3.exe+203C9CD - 76 0C - jna Crysis3.exe+203C9DB
Crysis3.exe+203C9CF - BC 00000000 - mov esp,00000000
Crysis3.exe+203C9D4 - 0FA4 D6 - shld esi,edx
Crysis3.exe+203C9D7 - 00 FF - add bh,bh
Crysis3.exe+203C9D9 - E4 90 - in al,90
|
Anyway, even if you somehow patch all of them up (you'd have to just nop them, I think, as sometimes there's not even a conditional, or it's not that close by), there might even be more ways they crash you; mov esp,0; jmp esp is just an obvious one!
I attempted this (just starting from Crysis3.exe+1000, even though that's not where you'd want to do it [with my other bypass on]) just to see how well it patched 'em up... Then, when I did an assembly scan for mov esp,00000000, for the ones that were still coming up I'd have to account for way too many variations, and I still wouldn't get them all!
| Code: |
//Crysis 3
//Integrity Check Bypass un1337 Method ;) lol
//Steve Andrew
[enable]
alloc(JumpPatcherThread,2048)
label(NextByte)
label(MiniCheck1)
label(MiniCheck2)
label(MiniCheck3)
label(SpecialCheck)
label(SpecialCaseValue)
label(ContinueSpecialCheck)
label(ContinuePatching)
label(CurrentAddy)
label(Trap)
createthread(JumpPatcherThread)
registersymbol(JumpPatcherThread)
registersymbol(CurrentAddy)
JumpPatcherThread:
mov eax,Crysis3.exe+1000
mov ecx,2864000
//check for: 7? ?? bc 00 00 00 00 ff e4
//or: 7? ?? bc 00 00 00 00 ?? ff e4
//or: 7? ?? bc 00 00 00 00 ?? ?? ff e4
//or: 7? ?? bc 00 00 00 00 ?? ?? ?? ff e4
//or: 7? ?? ?? bc 00 00 00 00 ^^
ContinuePatching:
mov [CurrentAddy],eax
xor edx,edx
mov bl,[eax]
and bl,70 //AND'ing the byte with 0x70, then comparing for 0x70 is your 7? ;)
cmp bl,70
jne NextByte
cmp [eax+2],000000bc
jne SpecialCheck
ContinueSpecialCheck:
cmp byte ptr [eax+edx+6],0
jne NextByte
cmp word ptr [eax+edx+7],e4ff
jne MiniCheck1
mov byte ptr [eax],eb
jmp NextByte
MiniCheck1:
cmp byte ptr [eax+edx+8],e4ff
jne MiniCheck2
mov byte ptr [eax],eb
jmp NextByte
MiniCheck2:
cmp byte ptr [eax+edx+9],e4ff
jne MiniCheck3
mov byte ptr [eax],eb
jmp NextByte
MiniCheck3:
cmp byte ptr [eax+edx+a],e4ff
jne NextByte
mov byte ptr [eax],eb
jmp NextByte
SpecialCheck:
mov edx,1
jmp ContinueSpecialCheck
NextByte:
inc eax
dec ecx
test ecx,ecx
jne ContinuePatching
Trap:
jmp Trap
ret
SpecialCaseValue:
dd 0
CurrentAddy:
dd 0
[disable]
|
The only reason you'd want to do this, though, is to save memory, right? So I took the idea of the method that some people have been using (not the infinite loop method) but the returning-the-valid-hashes method!
However, I don't like to hard code things, and hard coded hashes won't work for everyone anyway! So I made a new script! lol! Checksum Spoofer method!
The problem I ran into is that in order to get the valid hashes you have to bypass your hook itself at least... But after I got that working properly (to just bypass a very small section [just 0x35 bytes of the integrity check, not even the whole thing]), extracting the valid hashes was easy!
This version of the script has a very small footprint (it does not even take up more than a few hundred bytes, about 320 bytes to be more exact) but it successfully bypasses you! It's ideal for people who maybe don't have that much memory to be splurging on a whole extra copy of the game floating around!
But you'll have to wait just a little bit longer for this one to work compared to the other method... (enough time to see that all three checksums have been backed up) EDIT: actually it's pretty instantaneous after it enables, lol. It was some breakpoints I had set that were slowing it down.
Visit my thread for it + on CT, or I'll post it here as well (it'll take a couple of seconds to enable, it's an aobscan script):
After enabling, add "ChecksumIndex" to your CT; after it reaches '3' you are ready to hack (not sure if any versions of Crysis 3 will have more than 3 checksums, but it seems that everyone has three). (For the curious mind, also add 'Checksums' to your CT; if you browse to this location in the memory viewer you'll see the three checksums with the format [size][checksum][size][checksum][size][checksum], each 4 bytes.)
This one did take me many tries to get it quite right. The problem I ran into is that I had to push and pop ECX to keep its value (since I wasn't copying a whole entire region like the other script, and just bypassing a very small 35 bytes; without restoring ECX, the next time it ran through my hook after getting past the small bypass section, it was still copying the bytes from that area, which were then past the area I was covering, causing it to get incorrect bytes, making the resulting checksum invalid).
| Code: |
//Integrity Check Bypass [Checksum Spoofer Method]
//Crysis 3
//Steve Andrew
[enable]
alloc(IntegrityChecksumSpoofer,512)
aobscan(CheckRoutineStart, 80 3d ? ? ? ? 00 8b 44 24 0c 56 75)
aobscan(CheckRoutineHookAddress, 0f b6 39 8b f0 c1 ee 18 33)
label(CheckRoutineHookAddy)
label(ChecksumSpooferRet)
label(Checksums)
label(ChecksumIndex)
label(CorrectCheckBytes)
label(GetChecksumsWhileCoveringTheseHooks)
label(KeepCounting)
label(GotSizeOfAreaToProtect)
label(SizeOfAreaToProtect)
label(CallHook)
label(SizeOfAreaThisChecksumCovers)
label(AlreadyGotChecksums)
label(GetNextValidChecksum)
label(ReturnValidChecksum)
label(SkipHidingTheseHooks)
registersymbol(CheckRoutineHookAddy)
registersymbol(CallHook)
registersymbol(Checksums)
registersymbol(ChecksumIndex)
IntegrityChecksumSpoofer:
pushfd
cmp [CorrectCheckBytes],8b39b60f
je GetChecksumsWhileCoveringTheseHooks
push eax
push ecx
xor ecx,ecx
mov eax,CheckRoutineHookAddress
KeepCounting:
cmp dword ptr [eax],0c2474ff
je GotSizeOfAreaToProtect
inc eax
inc ecx
jmp KeepCounting
GotSizeOfAreaToProtect:
add ecx,0d //add 13 to it
mov [SizeOfAreaToProtect],ecx
mov esi,CheckRoutineHookAddress
mov edi,CorrectCheckBytes
repe movsb
//fix the only hook copied to that correct memory
mov edi,CorrectCheckBytes
mov [edi],8b39b60f
mov byte ptr [edi+4],f0
//do second hook, hooking the call of this routine
mov esi,CheckRoutineHookAddress
add esi,[SizeOfAreaToProtect]
sub esi,5 //go do the start of the 'call [x]' instruction
//to - from - 5
mov edi,CallHook
sub edi,esi
sub edi,5
//hook that call ;) [change it to a jump]
mov byte ptr [esi],e9
mov [esi+1],edi
pop ecx
pop eax
jmp GetChecksumsWhileCoveringTheseHooks
//so we can get the return value / correct checksums + sizes
CallHook:
//could also use [esp]: base address of checksum area
mov eax,[esp+4] //size of checksum area
mov [SizeOfAreaThisChecksumCovers],eax
call CheckRoutineStart
pushfd
cmp [ChecksumIndex],3
je AlreadyGotChecksums
push ebx
push ecx
push edx
mov ebx,Checksums
mov ecx,[ChecksumIndex]
mov edx,[SizeOfAreaThisChecksumCovers]
mov [ebx+ecx*8],edx //backup size of checksum
mov [ebx+ecx*8+4],eax //backup checksum itself
inc [ChecksumIndex]
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret
AlreadyGotChecksums:
push ebx
push ecx
push edx
xor edx,edx
mov ebx,Checksums
mov ecx,[SizeOfAreaThisChecksumCovers]
GetNextValidChecksum:
cmp [ebx+edx*8],ecx
je ReturnValidChecksum
inc edx
jmp GetNextValidChecksum
ReturnValidChecksum:
mov eax,[ebx+edx*8+4] //Return That VALID Checksum :D
pop edx
pop ecx
pop ebx
popfd
add esp,0c
ret
GetChecksumsWhileCoveringTheseHooks:
push eax
mov eax,CheckRoutineHookAddress
cmp ecx,eax
jb SkipHidingTheseHooks
add eax,[SizeOfAreaToProtect]
cmp ecx,eax
jae SkipHidingTheseHooks
push ecx // this was the trick ;)
sub ecx,CheckRoutineHookAddress
add ecx,CorrectCheckBytes
movzx edi,byte ptr [ecx]
pop ecx
jmp SkipHidingTheseHooks+3
SkipHidingTheseHooks:
movzx edi,byte ptr [ecx]
pop eax
popfd
mov esi,eax
jmp ChecksumSpooferRet
SizeOfAreaToProtect:
dd 0
SizeOfAreaThisChecksumCovers:
dd 0
ChecksumIndex:
dd 0
Checksums: //enough room for 3 checksums + sizes
dd 0 0 0 0 0 0
CorrectCheckBytes:
dd 0
CheckRoutineHookAddress:
CheckRoutineHookAddy:
jmp IntegrityChecksumSpoofer
ChecksumSpooferRet:
[disable]
unregistersymbol(CheckRoutineHookAddy)
unregistersymbol(CallHook)
unregistersymbol(Checksums)
unregistersymbol(ChecksumIndex)
|
hehe That's the way to do it! xD A special note: this one can't be disabled! lol Not that you'd want to anyway!
_________________
DDS Expert Cheater
Reputation: 3
Joined: 10 Feb 2011 Posts: 112 Location: Bill's Planet
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Thu Mar 14, 2013 2:18 pm
| DDS wrote: | Gud Job SteveAndrew
|
Thanks! Yeah, this second version is way cooler! Glad I spent the time to make it.
_________________
Howard_Beale How do I cheat?
Reputation: 0
Joined: 01 Jun 2013 Posts: 2
Posted: Sat Jun 01, 2013 11:18 am Post subject: Not working
I am new to the Cheat Engine system (I've been using CheatHappens, as they have yet to let me down until now), but the game is still crashing on me. I activate the Bypass and then the game crashes shortly after. Any advice?
_________________
I don't always talk to people with swag, but when I do, I order large fries.
lampuiho Expert Cheater
Reputation: 6
Joined: 16 Jan 2010 Posts: 122
Posted: Tue Dec 03, 2013 9:10 am
| SteveAndrew wrote: | | DDS wrote: | Gud Job SteveAndrew |
Thanks! Yeah this second version is way cooler! Glad I spent the time to make it |
How the hell did you find all those hash-checking codes in the first place?
Chris12 Expert Cheater
Reputation: 1
Joined: 27 Apr 2012 Posts: 103
Posted: Tue Dec 03, 2013 3:41 pm
| lampuiho wrote: | | SteveAndrew wrote: | | DDS wrote: | Gud Job SteveAndrew |
Thanks! Yeah this second version is way cooler! Glad I spent the time to make it |
how the hell did you find all those hash checking codes in the first place |
I already posted the scanning method, as well as a table to disable the protection, one or two pages back!
In order to find the scanning and hashing code you just have to set a "read breakpoint" on an address that you know is being scanned.
For example, the code that changes energy is scanned, so I set a breakpoint there and find the code that does the hashes.
Next you just have to use a bit of lua (or the debugger and pen&paper) to log all hashes.
kiwi01 How do I cheat?
Reputation: 0
Joined: 05 Jul 2013 Posts: 4
Posted: Wed Apr 23, 2014 3:10 am
Thanks for your effort, going to try it now.